RubyGems - leakferret - Versions diffs - 0.1.3 → 0.1.5 - Mend

leakferret 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77f46588fbab40b45095c4654047ef78ab41203036e77e3df34e6c0af9396777
-  data.tar.gz: '079c0db268161032b79eac1e49fee61f785aa334a242680f95d7c8a7d260d8f7'
+  metadata.gz: 76c68f883d5148243bbbc769400108fd4acab2dbedfbe4356bc62ffb1ddbd2c7
+  data.tar.gz: e9452a82c26c262c521b7810ff7f4db37194c2b6dccfab3536ca602a32795c06
 SHA512:
-  metadata.gz: 89f676f8d255335e83d820a5c962a723cc6434039b56180e2e0bdddcb017bc2d03d765139a00fe5827e6c1b82125a351617bd0cec8a225d9332e76f18231c339
-  data.tar.gz: 151b37249dbf4a8d743bc142d8dfb0815a16e5a7833be451dfa0640316026d21fa36e5215785552e683693594f4ed1bc614145401235edccb29fcc8a4aa62736
+  metadata.gz: 5f01616255b47c496492a3103d58ea290741996ac5554dfd1e9865312d13b1ef733e4ec0a0638fcf0d4b0d690331cb759cf0d1a4ecfcc855f6a0f21c7e40c6e6
+  data.tar.gz: 52ae9da0cfcfa2532963ade79b5eb63ecd665f37129a0dbe7824a47e83c7b3c8ecdccb347043c5a76083cd20a931b1b3216fb5f4cc8208b24695930f1af96982

data/README.md CHANGED Viewed

@@ -49,8 +49,9 @@ from your machine to the provider — leakferret has no servers.
 gem install leakferret
 ```
-This downloads `leakferret-{version}-{platform}.tar.gz` from GitHub Releases and
-unpacks the binary into `lib/leakferret/bin/`.
+The platform binary (`leakferret-{version}-{platform}.tar.gz` from GitHub
+Releases) is downloaded automatically on first use and cached under your home
+directory — no Rust toolchain required.
 Add it to a `Gemfile` for project-local use:
@@ -95,8 +96,91 @@ findings = Leakferret.rewrite('.', backend: 'doppler')
 Leakferret.rewrite('.', apply: true)
 ```
-Each `Finding` is a hash with `path`, `line`, `column`, `pattern`, `severity`,
-`verdict`, `match_redacted`, `confidence`, `verification`, and `fingerprint`.
+Each `Finding` is a hash with `path`, `line`, `column`, `pattern`, `severity`
+(`critical`/`high`/`medium`/`low`), `verdict` (`real`/`fixture`/`unknown`),
+`match_redacted`, `confidence`, `verification`, and `fingerprint`.
+## Rewrite a leak
+`rewrite` turns a hardcoded secret into an env-var lookup and helps you move it
+into a secret manager:
+```bash
+leakferret rewrite . --dry-run-diff               # preview the change, touch nothing
+leakferret rewrite . --apply                      # write `ENV.fetch("KEY")` in place + add to .env.example
+leakferret rewrite . --apply --backend doppler    # also print seed commands for your manager
+```
+`--backend` accepts `env` (default), `vault`, `doppler`, `aws-secrets-manager`,
+`infisical`. By default it only rewrites findings confirmed **REAL/live**; add
+`--include-unknown` to also fix unconfirmed candidates.
+## Use it in CI
+leakferret is one binary with clear exit codes (`0` = clean, `1` = findings), so
+it drops into any CI. The recommended pattern: **baseline once**, then `verify`
+on every build so you only fail on *new* secrets.
+```bash
+# One-time, on a repo that may already have findings:
+leakferret baseline init            # fingerprints current findings (HMAC, never the raw secret)
+git add .leakferret-baseline.json   # commit it — the per-repo salt is auto-gitignored
+```
+After that, `verify` ignores anything in the baseline and fails only on new leaks.
+**GitHub Actions** — use the dedicated action (uploads SARIF to Code Scanning):
+```yaml
+- uses: leakferrethq/leakferret-action@v1
+  with: { path: ., fail-on: any }
+```
+**CircleCI:**
+```yaml
+jobs:
+  secrets:
+    docker: [{ image: cimg/ruby:3.3 }]
+    steps:
+      - checkout
+      - run: gem install leakferret
+      - run: leakferret verify . --format sarif > leakferret.sarif
+      - store_artifacts: { path: leakferret.sarif }
+```
+**GitLab CI / Argo Workflows / Jenkins / anything else** — identical recipe:
+```bash
+gem install leakferret
+leakferret verify .                 # exits 1 on any REAL finding -> fails the job
+```
+Useful flags: `--only-verified` (fail only on provider-confirmed live keys),
+`--verify-mode ever-verified` (with a baseline, fail on anything that *ever*
+verified live), `--format sarif|json`.
+## Use it with AI agents (MCP)
+leakferret is also an MCP server, so a coding agent (Cursor, Claude, Continue)
+can scan, verify, and rewrite *before it commits*. Add it to your editor's MCP
+config:
+```json
+{
+  "mcpServers": {
+    "leakferret": { "command": "leakferret", "args": ["mcp"] }
+  }
+}
+```
+In **Cursor**: Settings → MCP → Add. In **Claude Desktop**: the `mcpServers`
+block of `claude_desktop_config.json`. Tools exposed: `scan_repository`,
+`classify_candidates`, `verify_finding`, `propose_rewrite`, `baseline_diff`.
+> Running `leakferret mcp` directly in a terminal looks like it hangs — that's
+> correct. It's a stdio JSON-RPC server waiting for your editor to connect, not
+> a command you run by hand.
 ## Using a local binary

data/lib/leakferret/version.rb CHANGED Viewed

@@ -2,10 +2,10 @@
 module Leakferret
   # The gem's own version.
-  VERSION = '0.1.3'
+  VERSION = '0.1.5'
   # The native binary release this gem downloads. Tracks the leakferret
   # core release, which may move independently of the gem's own version
   # (e.g. a gem-only bugfix).
-  BINARY_VERSION = '0.1.1'
+  BINARY_VERSION = '0.1.3'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: leakferret
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - Maria Khan